mirror/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-04-15 17:05:43 +02:00
Code Issues Packages Projects Releases Wiki Activity

Restore Element Call HTTP headers to more secure/privacy-respecting values

Browse Source
This commit is contained in:
Slavi Pantaleev 2025-03-12 17:44:00 +02:00
parent f8e84c4b2f
commit 1e60f41a59
1 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
roles/custom/matrix-element-call/defaults/main.yml
View File

@ -86,7 +86,7 @@ matrix_element_call_systemd_required_services_list_custom: []
# Learn more about it is here:
# - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
# - https://portswigger.net/web-security/cross-site-scripting/reflected
matrix_element_call_http_header_xss_protection: ''
matrix_element_call_http_header_xss_protection: "1; mode=block"
# Specifies the value of the `X-Frame-Options` header which controls whether framing can happen.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
@ -94,19 +94,19 @@ matrix_element_call_http_header_frame_options: ''
# Specifies the value of the `X-Content-Type-Options` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
matrix_element_call_http_header_content_type_options: ''
matrix_element_call_http_header_content_type_options: nosniff
# Specifies the value of the `Content-Security-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
matrix_element_call_http_header_content_security_policy: ''
matrix_element_call_http_header_content_security_policy: frame-ancestors *
# Specifies the value of the `Permission-Policy` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permission-Policy
matrix_element_call_http_header_content_permission_policy: ''
matrix_element_call_http_header_content_permission_policy: "{{ 'interest-cohort=()' if matrix_element_call_floc_optout_enabled else '' }}"
# Specifies the value of the `Strict-Transport-Security` header.
# See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
matrix_element_call_http_header_strict_transport_security: ''
matrix_element_call_http_header_strict_transport_security: "max-age=31536000; includeSubDomains{{ '; preload' if matrix_element_call_hsts_preload_enabled else '' }}"
# Controls whether to send a "Permissions-Policy interest-cohort=();" header along with all responses
#
@ -117,7 +117,7 @@ matrix_element_call_http_header_strict_transport_security: ''
#
# Of course, a better solution is to just stop using browsers (like Chrome), which participate in such tracking practices.
# See: `matrix_element_call_content_permission_policy`
matrix_element_call_floc_optout_enabled: false
matrix_element_call_floc_optout_enabled: true
# Controls if HSTS preloading is enabled
#